I thought this was timely given this week’s topic. OWASP recently refreshed its Top 10 list of web application security risks, and the update moved Broken Access Control into the #1 position, displacing Injection, which fell to #3.
The article notes that this shift in ranking was not due to “solving” injection vulnerabilities; rather, it reflects how widespread Broken Access Control is in the field. Broken Access Control “encompasses a wide range of coding flaws” that could “enable attackers to modify a URL, internal application state, or part of an HTML page.” The category covers any case in which access control policy can be violated so that a user acts outside their intended permissions, for example reading or editing another user’s records, or reaching admin-only functions from an ordinary account.
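To make the category concrete, here is an added example (not from the article, and not OWASP’s own code) of the most common form of Broken Access Control: an insecure direct object reference, shown beside a hardened version of the same handler. The invoice store, the users, the `fetch` helper and the `Forbidden` exception are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    """Authenticated caller; the role is what an authorization check consults."""
    id: int
    role: str  # "user" or "admin"


# Constructed sample data: invoices keyed by id, each owned by exactly one user.
INVOICES = {
    1001: {"owner_id": 1, "amount": 120.00},
    1002: {"owner_id": 2, "amount": 980.50},
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_vulnerable(current_user: User, invoice_id: int) -> dict:
    """Broken: the object is fetched straight from the user-supplied id.

    Authentication happened upstream, but nothing ties the invoice to the
    caller, so any logged-in user reads any invoice just by editing the id
    in the URL (e.g. /invoices/1001 -> /invoices/1002).
    """
    return INVOICES[invoice_id]


def get_invoice_hardened(current_user: User, invoice_id: int) -> dict:
    """Fixed: same lookup, followed by an explicit ownership/role check."""
    invoice = INVOICES.get(invoice_id)
    # A missing id and an unauthorized id produce the same error, so the
    # endpoint cannot be used to enumerate which invoice ids exist.
    if invoice is None:
        raise Forbidden(f"invoice {invoice_id}")
    # Deny by default: only the owner or an admin gets through.
    if current_user.role != "admin" and invoice["owner_id"] != current_user.id:
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


def fetch(handler: Callable[[User, int], dict], user: User, invoice_id: int) -> Optional[dict]:
    """Simulate one request: return the invoice, or None if access was denied."""
    try:
        return handler(user, invoice_id)
    except Forbidden:
        return None


if __name__ == "__main__":
    alice = User(id=1, role="user")
    # Alice tampers with the id in the URL to reach Bob's invoice (id 1002).
    print("vulnerable:", fetch(get_invoice_vulnerable, alice, 1002))  # leaks Bob's invoice
    print("hardened:  ", fetch(get_invoice_hardened, alice, 1002))    # None
```

The point of the hardened version is that the check lives in the handler, next to the data it protects, and denies unless the caller is the owner or an admin; a check that only hides the link in the HTML page leaves the URL itself wide open, which is exactly the flaw the category describes.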
The 2021 list also introduced three new categories: Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery.
Author: Matias Madou
Published: October 20, 2021